mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-24 06:43:38 +00:00
Merge branch 'main' into v-mathavale-6063796
@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 03/10/2022
ms.date: 08/22/2022
ms.reviewer:
manager: dansimp
ms.custom: sasr
@ -30,6 +30,9 @@ Application Guard uses both network isolation and application-specific settings.
These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
> [!NOTE]
> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge.
> [!NOTE]
> You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy.
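Review bot: the new note (with KB5014666 on Windows 10 or KB5014668 on Windows 11 the network isolation policy is not needed for Microsoft Edge) sits directly above the unchanged note that says you *must* configure Enterprise resource domains or Private network ranges to turn on Application Guard in enterprise mode, so readers get two contradictory instructions in a row. Qualify the second note (for example, "If the update above isn't installed, you must configure ...") or merge the two, and say whether the proxy-server requirement in that note still applies once the update is installed.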
@ -55,9 +58,8 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|-----------|------------------|-----------|-------|
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher<p>Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. <p>**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.<p>**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher<p>Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
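Review bot: the KB note appended to the "Turn on Microsoft Defender Application Guard in Managed Mode" row contradicts a sentence earlier in the same cell, "Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device"; qualify that sentence (network isolation settings are required only when KB5014666/KB5014668 isn't installed) so the cell is self-consistent. Also "Edge" should be "Microsoft Edge" to match the rest of the table, and the same note now exists in the Network isolation section of this file, so keep one authoritative copy and link to it from the other place.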
@ -19,8 +19,8 @@ ms.technology: windows-sec
**Applies to**
- Windows 10
- Windows 11
- Windows 10 Education, Enterprise, and Professional
- Windows 11 Education, Enterprise, and Professional
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
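Review bot: the new "Applies to" list names only Education, Enterprise, and Professional, while the Operating system row in the requirements table further down the same file also lists Professional for Workstations and Professional Education; either list those here too or say "Pro editions" so the two lists agree. The unchanged context sentence "help prevent old, and newly emerging attacks" has a stray comma that could be fixed in the same change.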
@ -45,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
| Operating system | Windows 10 Enterprise edition, version 1809 or higher <br/> Windows 10 Professional edition, version 1809 or higher <br/> Windows 10 Professional for Workstations edition, version 1809 or higher <br/> Windows 10 Professional Education edition, version 1809 or higher <br/> Windows 10 Education edition, version 1809 or higher <br/> Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions. <br/> Windows 11 |
| Operating system | Windows 10 Enterprise edition, version 1809 or higher <br/> Windows 10 Professional edition, version 1809 or higher <br/> Windows 10 Professional for Workstations edition, version 1809 or higher <br/> Windows 10 Professional Education edition, version 1809 or higher <br/> Windows 10 Education edition, version 1809 or higher <br/> Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions. <br/> Windows 11 Education, Enterprise, and Professional |
| Browser | Microsoft Edge |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
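Review bot: the Operating system row now ends with "Windows 11 Education, Enterprise, and Professional", but the restriction in the same cell ("Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions") sits before the Windows 11 line and so reads as Windows 10-specific; move it to the end of the cell or state explicitly whether it covers Windows 11 Professional as well. The unchanged Management system row has a typo, "non-Mirosoft", worth fixing while this table is being edited.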
@ -22,54 +22,61 @@ ms.technology: windows-sec
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate.
Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
ECDSA isn't supported.
If you have an internal CA, complete these steps to create a code signing certificate.
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
> [!WARNING]
> Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
>
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA SHA-256 only. ECDSA isn't supported.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
> - Keys must be less than or equal to 4K key size
>
2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console.
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
2. When connected, right-click **Certificate Templates**, and then select **Manage** to open the Certification Templates Console.

Figure 1. Manage the certificate templates
3. In the navigation pane, right-click the Code Signing certificate, and then click **Duplicate Template**.
3. In the navigation pane, right-click the Code Signing certificate, and then select **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list.
5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**.
5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**.
6. On the **Request Handling** tab, select the **Allow private key to be exported** check box.
6. On the **Request Handling** tab, select the **Allow private key to be exported** check box.
7. On the **Extensions** tab, select the **Basic Constraints** check box, and then click **Edit**.
7. On the **Extensions** tab, select the **Basic Constraints** check box, and then select **Edit**.
8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.
8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.

Figure 2. Select constraints on the new template
9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**.
9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**.
10. On the **Subject Name** tab, select **Supply in the request**.
11. On the **Security** tab, verify that whatever account will be used to request the certificate has the right to enroll the certificate.
12. Click **OK** to create the template, and then close the Certificate Template Console.
12. Select **OK** to create the template, and then close the Certificate Template Console.
When this certificate template has been created, you must publish it to the CA published template store. To do so, complete the following steps:
1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3.
1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then select **Certificate Template to Issue**, as shown in Figure 3.

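Review bot: the removed sentence "Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded" is only partly carried into the new warning, which covers PKCS 7 and RSA SHA-256 but says nothing about signature padding; if RSA-PSS signatures are still rejected, keep the PKCS #1 v1.5 padding requirement in the warning next to the "Use RSA SHA-256 only" rule, since the whole point of the warning is to list everything that causes the boot failure. Also give "Keys must be less than or equal to 4K key size" a unit (4096-bit RSA) and a full stop. The "Applies to" list and steps 1, 2, 4, 5, 6, 8 and 9 appear in both halves of the diff with identical text, which looks like whitespace-only changes inflating the hunk; worth checking the editor settings so the intended click-to-select edits stay easy to review.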
@ -77,38 +84,38 @@ When this certificate template has been created, you must publish it to the CA p
A list of available templates to issue appears, including the template you created.
2. Select the WDAC Catalog signing certificate, and then click **OK**.
2. Select the WDAC Catalog signing certificate, and then select **OK**.
Now that the template is available to be issued, you must request one from the computer running Windows 10 and Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**.
1. In MMC, from the **File** menu, select **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**.
2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then click **Request New Certificate**.
2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then select **Request New Certificate**.
3. Click **Next** twice to get to the certificate selection list.
3. Select **Next** twice to get to the certificate selection list.
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.

Figure 4. Get more information for your code signing certificate
5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then click **Add**. When added, click **OK.**
5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then select **Add**. When added, select **OK.**
6. Enroll and finish.
6. Enroll and finish.
>[!NOTE]
>If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file won't be required because it already exists in your personal store. If you're signing on another computer, you'll need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing will happen on the same computer you used to request the certificate, you can skip the following steps. If you'll be signing on another computer, you need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
1. Right-click the certificate, point to **All Tasks**, and then click **Export**.
1. Right-click the certificate, point to **All Tasks**, and then select **Export**.
2. Click **Next**, and then select **Yes, export the private key**.
2. Select **Next**, and then select **Yes, export the private key**.
3. Choose the default settings, and then select **Export all extended properties**.
3. Choose the default settings, and then select **Export all extended properties**.
4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name.
4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name.
When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them.
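Review bot: the bulk click-to-select replacement should not have reached step 5 ("select **ContosoDGSigningCert**" for the common name value) or step 4 of the export procedure ("select **WDACCatSigningCert.pfx** as the file name"); in both places the user types a value rather than picks one from a list, so "enter" or "type" is the accurate verb. Separately, the template is called "WDAC Catalog Signing Certificate", the subject name is "ContosoDGSigningCert" and the export file is "WDACCatSigningCert.pfx", three different names for the same certificate; the subject name must stay because the signing article's SignTool command looks the certificate up by `/n "ContosoDGSigningCert"`, so align the other two with it.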
@ -117,4 +124,3 @@ When the certificate has been exported, import it into the personal store for th
- [Windows Defender Application Control](windows-defender-application-control.md)
- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
@ -90,7 +90,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
|----------- | ----------- |
| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
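Review bot: the added sentence "FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers" is the right caveat for this table, but the row then points readers to "More information about FilePath level rules can be found below", so the detailed FilePath section should carry the same limitation, otherwise anyone who skips the table misses it. It would also help to say what happens when a FilePath rule is the only rule matching a driver (the rule is ignored and the driver is blocked, or something else) so the behaviour is unambiguous for policy authors.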
@ -11,10 +11,10 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 06/27/2022
ms.date: 08/15/2022
ms.technology: windows-sec
---
@ -31,26 +31,29 @@ ms.technology: windows-sec
Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies can't be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this idea of the policies in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
> [!WARNING]
> Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
>
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA SHA-256 only. ECDSA isn't supported.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
> - Keys must be less than or equal to 4K key size
>
Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components:
- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later)
- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later)
- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you've created
- An internal CA code signing certificate or a purchased code signing certificate
> [!NOTE]
> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652)
>
>Certificate fields, like 'subject common name' and 'issuer common name,' cannot be UTF-8 encoded, otherwise, blue screens may occur. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you've created
- An internal CA code signing certificate or a purchased code signing certificate
If you don't have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or Windows Defender Application Control (WDAC) policy, ensure you update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
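Review bot: the warning block is now duplicated word for word between this article and the create-code-signing-cert article; put it in a shared include so the two lists of certificate rules can't drift apart (the removed note already shows how that happens: it said "pkcs7" while the warning says "PKCS 7" and the prose says "PKCS #7", so pick one spelling). The unchanged opening paragraph still reads "the highest level of malware protection available in Windows—must be signed with PKCS #7", a sentence fragment left from an earlier edit; "available in Windows. They must be signed with PKCS #7." fixes it. Since the removed note's "otherwise, blue screens may occur" is now the warning's headline, moving the audit recommendation below the warning is the right order.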
@ -64,12 +67,12 @@ If you don't have a code signing certificate, see [Optional: Create a code signi
> [!NOTE]
> This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you'll use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
2. Import the .pfx code signing certificate. Import the code signing certificate that you'll use to sign the WDAC policy into the user’s personal store on the computer where the signing happens. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
|
||||
|
||||
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
|
||||
|
||||
4. Navigate to your desktop as the working directory:
|
||||
|
||||
|
||||
```powershell
|
||||
cd $env:USERPROFILE\Desktop
|
||||
```
|
||||
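Review bot: the rewording of step 2 drops a precision worth keeping. The old text said the certificate goes into the *signing user's* personal store, which matches the later note's "your personal certificate store on the computer you use to sign the policy"; "the user's personal store" can be read as any user on that computer, and SignTool's `/n "ContosoDGSigningCert"` lookup in the next hunk has to find the certificate in the store of the account that runs it. Suggest: "into the personal store of the user account that will run the signing command, on the computer where the signing happens."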
@ -104,11 +107,11 @@ If you don't have a code signing certificate, see [Optional: Create a code signi
```powershell
<Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin
```

> [!NOTE]
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.

9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md).

> [!NOTE]
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.

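Review bot: the only change visible in this hunk is the final note line, which reads identically before and after, so this looks like a whitespace or line-ending-only edit; confirm it is intended, or drop it to keep the diff to real changes. While here, two small accuracy points on the unchanged lines: the note calls `<Path to signtool.exe>` a variable, but it is a placeholder the reader must replace (the same sentence then names the `SignTool.exe` utility), so "placeholder" is the clearer word; and because the command sits in a `powershell` fence, the literal angle brackets are not valid PowerShell syntax and a straight paste fails, so consider showing a concrete path or a variable such as `$SignToolPath` that the reader defines first.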
@ -1,6 +1,6 @@
---
title: Windows Defender Application Control and .NET Hardening (Windows)
description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
title: Windows Defender Application Control and .NET (Windows)
description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security

@ -11,30 +11,43 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 06/15/2022
ms.date: 08/10/2022
ms.technology: windows-sec
---

# Windows Defender Application Control and .NET hardening
# Windows Defender Application Control (WDAC) and .NET

Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those sets approved by an organization.
Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly.
Beginning with Windows 10, version 1803, or Windows 11, Windows Defender Application Control features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime.
.NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it.

The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies.

In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events).

To mitigate any performance impact caused when the WDAC EA isn't valid or missing, use any of the following strategies:

1. Work with the app developer to pre-compile their NI and digitally sign it. Then, ensure your WDAC policies allow that signature;
2. Run *ngen.exe update* to force .NET to regenerate all NI files immediately after applying changes to your WDAC policies;
3. [Create and sign a catalog file](/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control) for the native images

## WDAC and .NET hardening

Security researchers have found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls.
Beginning with Windows 10, version 1803, WDAC includes a new option, called *Dynamic Code Security* that works with .NET to verify code loaded at runtime.

When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share.

Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.

Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries.
Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries.
Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.

Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/aspnet/web-forms/overview/older-versions-getting-started/deploying-web-site-projects/precompiling-your-website-cs) document for how to fix that.
Additionally, customers can precompile for deployment only to prevent an allowed executable from being terminated because it tries to load unsigned dynamically generated code. See the "Precompiling for Deployment Only" section in the [ASP.NET Precompilation Overview](/previous-versions/aspnet/bb398860(v=vs.100)) document for how to fix that.

To enable Dynamic Code Security, add the following option to the `<Rules>` section of your policy:
To enable Dynamic Code Security, add the following option to the `<Rules>` section of your WDAC policy:

```xml
<Rule>

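Review bot: several rows in the lower half of this hunk read identically before and after (the "Additionally, it detects tampering..." sentence, and the three-line paragraph starting "Dynamic Code Security isn't enabled by default"), so those look like whitespace-only changes; confirm they are intended. On the new text: the sentence "Beginning with Windows 10, version 1803, WDAC includes a new option..." drops the "or Windows 11" that the replaced sentence carried, so consider keeping it; the three mitigation items end with ";", ";" and no punctuation, so make them consistent; and item 2 says "Run *ngen.exe update*" without saying where it is run from or with what privileges, which a reader regenerating all NI files will need. The ASP.NET link now points at a `previous-versions` (v=vs.100) page; check that it still resolves, since the text quotes a specific section title from it.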
@ -2,28 +2,30 @@
title: Add Production Devices to the Membership Group for a Zone (Windows)
description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Add Production Devices to the Membership Group for a Zone

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above


After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.

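Review bot: `ms.date` stays at 09/07/2021 even though page content changes here: the header is `-2,28 +2,30`, a net of two lines, while six `appliesto` lines are added, so four lines are removed, consistent with the four-line body "**Applies to**" list being dropped in favor of the front-matter block. Bump the date as the .NET page in this commit does (06/15/2022 to 08/10/2022). The same applies to each sibling firewall page below that receives the identical `appliesto` change. One consequence to double-check: the removed list said "Windows Server 2016 and above", while the new block enumerates 2016, 2019 and 2022 only, so a later server release will need an explicit entry.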
@ -2,28 +2,30 @@
title: Add Test Devices to the Membership Group for a Zone (Windows)
description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Add Test Devices to the Membership Group for a Zone

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device.

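Review bot: separate from the metadata change, the context paragraph at the end of this hunk contains a sentence fragment: "Although we recommend that you set your rules to request mode until testing and deployment is complete." has no main clause. Since the page is being touched, suggest merging it with the next sentence: "We recommend that you keep your rules in request mode until testing and deployment are complete, and that you initially deploy the rules to only a few devices to be sure that each device processes the correct GPOs."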
@ -2,28 +2,30 @@
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows)
description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Appendix A: Sample GPO Template Files for Settings Used in this Guide

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).

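Review bot: the `description` line is missing a word: "Use sample template files import an XML file ..." should read "Use sample template files to import an XML file ...". Worth fixing in the same front-matter edit.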
@ -2,28 +2,30 @@
title: Assign Security Group Filters to the GPO (Windows)
description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Assign Security Group Filters to the GPO

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.

@ -2,27 +2,29 @@
title: Basic Firewall Policy Design (Windows)
description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Basic Firewall Policy Design

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but don't have a host-based firewall enabled on each device in the organization.

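Review bot: this front matter has no `ms.date` line (the hunk is `-2,27 +2,29`, one line shorter than the sibling pages, and none of the visible metadata rows carries a date), so while the metadata is being revised, add `ms.date` for consistency with the other firewall pages in this commit. Also, in the context paragraph, "in to the organization's network" should be "into the organization's network".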
@ -6,14 +6,20 @@ ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: maccruz
author: schmurky
ms.author: paoloma
author: paolomatarazzo
ms.localizationpriority: medium
manager: dansimp
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Best practices for configuring Windows Defender Firewall

@ -2,28 +2,30 @@
title: Boundary Zone GPOs (Windows)
description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Boundary Zone GPOs

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.

@ -2,28 +2,30 @@
title: Boundary Zone (Windows)
description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Boundary Zone

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above


In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.

@ -2,28 +2,30 @@
title: Certificate-based Isolation Policy Design Example (Windows)
description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Certificate-based Isolation Policy Design Example

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).

@ -2,28 +2,30 @@
title: Certificate-based Isolation Policy Design (Windows)
description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Certificate-based isolation policy design

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.

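Review bot: the `description` line has a wrong word: "how it defers from Domain Isolation and Server Isolation Policy Design" should be "how it differs from ..."; fix it alongside the metadata update.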
@ -2,28 +2,30 @@
title: Change Rules from Request to Require Mode (Windows)
description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Change Rules from Request to Require Mode

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain.

@ -2,28 +2,30 @@
title: Checklist Configuring Basic Firewall Settings (Windows)
description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Configuring Basic Firewall Settings

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.

@ -2,28 +2,30 @@
title: Checklist Configuring Rules for an Isolated Server Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Configuring Rules for an Isolated Server Zone

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that isn't part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).

@ -2,28 +2,30 @@
title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows)
description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).

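Review bot: the `description` only repeats the title ("Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone"), which gives search results nothing beyond the page name. Since the front matter is being edited anyway, suggest a sentence-form description drawn from the body, for example: "Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain.", matching the form used by the neighboring checklist pages.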
@ -2,28 +2,30 @@
title: Checklist Configuring Rules for the Boundary Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Configuring Rules for the Boundary Zone

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.

@ -2,28 +2,30 @@
title: Checklist Configuring Rules for the Encryption Zone (Windows)
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Configuring Rules for the Encryption Zone

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.

@ -2,28 +2,30 @@
|
||||
title: Checklist Configuring Rules for the Isolated Domain (Windows)
|
||||
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
|
||||
ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Configuring Rules for the Isolated Domain
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.

@ -2,28 +2,30 @@
title: Checklist Creating Group Policy Objects (Windows)
description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Creating Group Policy Objects

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group.

@ -2,28 +2,30 @@
title: Checklist Creating Inbound Firewall Rules (Windows)
description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Creating Inbound Firewall Rules

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This checklist includes tasks for creating firewall rules in your GPOs.
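Review bot: the intro "This checklist includes tasks for creating firewall rules in your GPOs." drops the word "inbound" that the title and description carry, while the outbound checklist's intro in this commit says "creating outbound firewall rules"; suggest "This checklist includes tasks for creating inbound firewall rules in your GPOs." for symmetry.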

@ -2,28 +2,30 @@
title: Checklist Creating Outbound Firewall Rules (Windows)
description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Creating Outbound Firewall Rules

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This checklist includes tasks for creating outbound firewall rules in your GPOs.

@ -2,28 +2,30 @@
title: Create Rules for Standalone Isolated Server Zone Clients (Windows)
description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
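Review bot: the title and description in this hunk don't follow the naming the sibling checklists use: `title: Create Rules for Standalone Isolated Server Zone Clients (Windows)` lacks the "Checklist" prefix that the H1 and every other checklist title carry, and `description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone` is ungrammatical, has stray capitals and no trailing period. Suggest `title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows)` and a description modelled on the body line, e.g. "Use these tasks to configure connection security rules and IPsec settings in the GPOs for client devices that connect to servers in an isolated server zone."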

@ -2,28 +2,30 @@
title: Checklist Implementing a Basic Firewall Policy Design (Windows)
description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Implementing a Basic Firewall Policy Design

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.

@ -2,28 +2,30 @@
title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows)
description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Implementing a Certificate-based Isolation Policy Design

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.

@ -2,28 +2,30 @@
title: Checklist Implementing a Domain Isolation Policy Design (Windows)
description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Implementing a Domain Isolation Policy Design

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
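Review bot: the description in this hunk's context has a grammar slip, "... links to other checklists to complete tasks require to implement this design."; change it to "complete the tasks required to implement this design", which also matches the body paragraph's wording.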

@ -2,28 +2,30 @@
title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows)
description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists.
ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Implementing a Standalone Server Isolation Policy Design

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).

@ -2,28 +2,30 @@
title: Configure Authentication Methods (Windows)
description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Authentication Methods

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.

@ -2,28 +2,30 @@
title: Configure Data Protection (Quick Mode) Settings (Windows)
description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Data Protection (Quick Mode) Settings

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.

@ -2,28 +2,30 @@
title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows)
description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Group Policy to Autoenroll and Deploy Certificates

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.

@ -2,28 +2,30 @@
title: Configure Key Exchange (Main Mode) Settings (Windows)
description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Key Exchange (Main Mode) Settings

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.

@ -2,20 +2,26 @@
title: Configure the Rules to Require Encryption (Windows)
description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption.
ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure the Rules to Require Encryption
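Review bot: this hunk (`@ -2,20 +2,26 @@`) only adds the six-line `appliesto:` block and stops at the H1, whereas the other files in this commit are `-2,28 +2,30` hunks whose context reaches the body's **Applies to** list; if this file still has an in-body **Applies to** list below the heading, it now duplicates the banner that `appliesto:` renders, so check the rest of the file before merging. The Create an Authentication Request Rule hunk has the same shape.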

@ -2,28 +2,30 @@
title: Configure the Windows Defender Firewall Log (Windows)
description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure the Windows Defender Firewall with Advanced Security Log

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in.

@ -2,25 +2,27 @@
title: Configure the Workstation Authentication Template (Windows)
description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.reviewer: jekrynit
manager: aaroncz
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
author: paolomatarazzo
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure the Workstation Authentication Certificate Template

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
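Review bot: the body paragraph in this hunk's context names the CA role "Active Directory Certification Services (AD CS)"; the product is Active Directory Certificate Services, so correct the name while the file is open. Separately, this file's front matter lacks the `audience`, `ms.collection` and `ms.topic` keys that every other file in the commit carries (which is why this hunk is `-2,25 +2,27`); consider adding them for consistency.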

@ -2,28 +2,30 @@
title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows)
description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked
ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
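Review bot: the description "...suppress notifications when a program is Blocked" has a stray capital on "Blocked" and no trailing period, and the title's "When a Program is Blocked" disagrees with the H1's "When a Program Is Blocked"; pick one casing (the H1's title case matches the sibling titles) and apply it to both front-matter lines.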

@ -2,28 +2,30 @@
title: Confirm That Certificates Are Deployed Correctly (Windows)
description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: securit
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Confirm That Certificates Are Deployed Correctly

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.
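Review bot: `ms.pagetype: securit` in this hunk's context is a typo for `security` (every other file in the commit has `ms.pagetype: security`); it's only metadata, but the value will never match the intended page type, so fix it in this pass since the surrounding keys are already being edited.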

@ -2,28 +2,30 @@
title: Copy a GPO to Create a New GPO (Windows)
description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Copy a GPO to Create a New GPO

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.
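Review bot: "Active Directory Users and devices MMC snap-in" in both the description and the body paragraph looks like a bulk computers-to-devices substitution that hit a product name; the snap-in is Active Directory Users and Computers, as the Create a Group Account hunk in this commit spells it. Restore the name in both places, and since copying a GPO is actually done in the Group Policy Management console (the tool the firewall-log and suppress-notifications pages here already reference), the procedure itself is worth re-checking.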

@ -2,28 +2,30 @@
title: Create a Group Account in Active Directory (Windows)
description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Create a Group Account in Active Directory

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console.

@ -2,28 +2,30 @@
title: Create a Group Policy Object (Windows)
description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Create a Group Policy Object

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To create a new GPO, use the Active Directory Users and Computers MMC snap-in.
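Review bot: both the description and the body line send the reader to "the Active Directory Users and Computers MMC snap-in" to create a GPO, but on the Windows Server 2016 and later releases this file now declares in `appliesto:`, GPOs are created in the Group Policy Management console, which the firewall-log and ICMP pages in this same commit already reference; the procedure should point there. Also "the Domain Administrators group" in the description should use the group's actual name, Domain Admins.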

@ -2,28 +2,30 @@
title: Create an Authentication Exemption List Rule (Windows)
description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Create an Authentication Exemption List Rule

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.
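Review bot: the body paragraph reads "there are some devices or devices that cannot communicate by using IPsec", a doubled word left behind by a bulk rename of "computers"; drop one so it reads "some devices that cannot communicate". The description also spells the protocol "IPSec" where the body line and every other description in the commit use "IPsec"; align it.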
|
||||
|
||||
|
@ -2,20 +2,26 @@
|
||||
title: Create an Authentication Request Rule (Windows)
|
||||
description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
|
||||
ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Create an Authentication Request Rule
|
||||
|
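Review bot: this hunk stops at the heading with a net of +6 lines ("@ -2,20 +2,26"), whereas the sibling files in this change (for example the Authentication Exemption List Rule file just above) also drop the "**Applies to**" body list after the heading when they add the "appliesto" front matter. If this file still carries that body list, the page will now show the platform list twice (front-matter banner plus body); please check and remove it here as well for consistency.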
@ -2,28 +2,30 @@
|
||||
title: Create an Inbound ICMP Rule (Windows)
|
||||
description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Create an Inbound ICMP Rule
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Create an Inbound Port Rule (Windows)
|
||||
description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Create an Inbound Port Rule
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall
|
||||
with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
|
||||
|
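Review bot: the final paragraph is hard-wrapped mid-sentence ("...use the Windows Defender Firewall" / "with Advanced Security node..."). Markdown joins the two lines when rendering, but every other page in this set keeps its opening paragraph on one line; join it here so a source search for "Windows Defender Firewall with Advanced Security" matches and line-level diffs stay readable.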
@ -2,28 +2,30 @@
|
||||
title: Create an Inbound Program or Service Rule (Windows)
|
||||
description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules.
|
||||
ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Create an Inbound Program or Service Rule
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
|
||||
|
||||
|
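Review bot: the trailing context line has "Windows Defender Firewall with Advanced Securitynode" (missing space before "node"). Pre-existing, but a one-character fix while the file is open.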
@ -2,28 +2,30 @@
|
||||
title: Create an Outbound Port Rule (Windows)
|
||||
description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Create an Outbound Port Rule
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Create an Outbound Program or Service Rule (Windows)
|
||||
description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Create an Outbound Program or Service Rule
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Create Inbound Rules to Support RPC (Windows)
|
||||
description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Create Inbound Rules to Support RPC
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
|
||||
|
||||
|
@ -1,23 +1,25 @@
|
||||
---
|
||||
title: Create Windows Firewall rules in Intune (Windows)
|
||||
description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Create Windows Firewall rules in Intune
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!IMPORTANT]
|
||||
>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
||||
|
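Review bot: two issues in this file. The new "appliesto" block lists Windows Server 2016, 2019 and 2022, copied from the sibling pages, but Intune device configuration profiles don't manage Windows Server; for this page the list should be Windows 10 and Windows 11 only (the removed body list had the same overstatement with "Windows Server 2016 and above"). Second, the trailing context still carries the "[!IMPORTANT] ... prereleased product" disclaimer, and this is the only file in the set without an "ms.date" line; firewall rule profiles in Intune have shipped, so drop the disclaimer and add "ms.date" while the front matter is being rewritten.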
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Create WMI Filters for the GPO (Windows)
|
||||
description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Create WMI Filters for the GPO
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Designing a Windows Defender Firewall Strategy (Windows)
|
||||
description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Designing a Windows Defender Firewall with Advanced Security Strategy
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Determining the Trusted State of Your Devices (Windows)
|
||||
description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Determining the Trusted State of Your Devices
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this communication can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Documenting the Zones (Windows)
|
||||
description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Documenting the Zones
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Generally, the task of determining zone membership isn't complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here:
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Domain Isolation Policy Design Example (Windows)
|
||||
description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Domain Isolation Policy Design Example
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Domain Isolation Policy Design (Windows)
|
||||
description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Domain Isolation Policy Design
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Enable Predefined Inbound Rules (Windows)
|
||||
description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Enable Predefined Inbound Rules
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Enable Predefined Outbound Rules (Windows)
|
||||
description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Enable Predefined Outbound Rules
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically doesn't enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Encryption Zone GPOs (Windows)
|
||||
description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Encryption Zone GPOs
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section.
|
||||
|
||||
|
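Review bot: the trailing context line reads "This group is granted Read and Apply Group Policy permissions in on the GPO"; drop the stray "in".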
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Encryption Zone (Windows)
|
||||
description: Learn how to create an encryption zone to contain devices that host sensitive data and require that the sensitive network traffic be encrypted.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Encryption Zone
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Some servers in the organization host data that's sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it's transferred between devices.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows)
|
||||
description: Evaluating Windows Defender Firewall with Advanced Security Design Examples
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Evaluating Windows Defender Firewall with Advanced Security Design Examples
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization.
|
||||
|
||||
|
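Review bot: the "description" line just repeats the title ("Evaluating Windows Defender Firewall with Advanced Security Design Examples"). The description is what search results and the doc index show, so give it a sentence of its own, for example adapted from the opening paragraph in the context below: "Design examples that show how Windows Defender Firewall with Advanced Security improves the security of devices connected to the network, and how to choose among them."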
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Exempt ICMP from Authentication (Windows)
|
||||
description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Exempt ICMP from Authentication
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Exemption List (Windows)
|
||||
description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Exemption List
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
When you implement a server and domain isolation security model in your organization, you're likely to find more challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers can't require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
|
||||
|
||||
|
@ -1,17 +1,23 @@
|
||||
---
|
||||
title: Filter origin audit log improvements
|
||||
description: Filter origin documentation audit log improvements
|
||||
ms.reviewer:
|
||||
ms.author: v-bshilpa
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: normal
|
||||
author: Benny-54
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection:
|
||||
- m365-security-compliance
|
||||
- m365-initiative-windows-security
|
||||
ms.topic: troubleshooting
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Filter origin audit log improvements
|
||||
|
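Review bot: after this change the front matter here is out of step with the rest of the set: "ms.localizationpriority: normal" where every other file uses "medium", and "ms.collection" spelled "m365-security-compliance" (lower-case) while the others use "M365-security-compliance". Since the author, reviewer and manager lines are being rewritten anyway, normalize these two so the filter-origin page is grouped with the other firewall docs. Also, unlike the sibling files, this hunk adds the "appliesto" block without a body "Applies to" list to copy from, so confirm that each Windows Server version it names actually has the filter-origin audit fields before publishing.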
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Firewall GPOs (Windows)
|
||||
description: In this example, a Group Policy Object is linked to the domain container because the domain controllers aren't part of the isolated domain.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Firewall GPOs
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.
|
||||
|
||||
|
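Review bot: the new `appliesto:` block in the frontmatter (Windows 10, Windows 11, Windows Server 2016/2019/2022) now duplicates the hand-maintained **Applies to** list that the body still carries ("Windows 10", "Windows 11", "Windows Server 2016 and above"). Once the header renders the supported versions, the body list is a second source of truth that will drift; drop it in the same change, or at minimum make it match the frontmatter exactly. The same pattern repeats in every file in this commit that gained `appliesto:`.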
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Basic Firewall Policy Design Example (Windows)
|
||||
description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Basic Firewall Policy Design Example
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
In this example, the fictitious company Woodgrove Bank is a financial services institution.
|
||||
|
||||
|
@ -1,17 +1,23 @@
|
||||
---
|
||||
title: Troubleshooting Windows Firewall settings after a Windows upgrade
|
||||
description: Firewall settings lost on upgrade
|
||||
ms.reviewer:
|
||||
ms.author: v-bshilpa
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: Benny-54
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection:
|
||||
- m365-security-compliance
|
||||
- m365-initiative-windows-security
|
||||
ms.topic: troubleshooting
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Troubleshooting Windows Firewall settings after a Windows upgrade
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Gathering Information about Your Active Directory Deployment (Windows)
|
||||
description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Gathering Information about Your Active Directory Deployment
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Active Directory is another important item about which you must gather information. You must understand the forest structure. This structure includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed:
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Gathering Info about Your Network Infrastructure (Windows)
|
||||
description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Gathering Information about Your Current Network Infrastructure
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project:
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Gathering Information about Your Devices (Windows)
|
||||
description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Gathering Information about Your Devices
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Gathering Other Relevant Information (Windows)
|
||||
description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Gathering Other Relevant Information
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This topic discusses several other things that you should examine to see whether they'll cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Gathering the Information You Need (Windows)
|
||||
description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Gathering the Information You Need
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information isn't accurate, problems can occur when devices and devices that weren't considered during the planning phase are encountered during implementation.
|
||||
|
||||
|
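Review bot: the unchanged context line "problems can occur when devices and devices that weren't considered during the planning phase are encountered" repeats "devices" where a second noun was clearly intended; the hunk already touches this file's frontmatter, so the author should correct the wording here rather than leave the doubled word for a later pass. The intended second noun is not recoverable from the diff, so it needs the author's input rather than a guess.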
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: GPO\_DOMISO\_Boundary (Windows)
|
||||
description: This example GPO supports devices that aren't part of the isolated domain to access specific servers that must be available to those untrusted devices.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# GPO\_DOMISO\_Boundary
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
|
||||
|
||||
|
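Review bot: the added `appliesto:` list starts at Windows 10 and Windows Server 2016, but the first body paragraph still says Woodgrove Bank "began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO". Either the appliesto minimum or the worked example needs reconciling; as committed, the page advertises Server 2016+ while its procedure is anchored on a Server 2008 GPO.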
@ -1,16 +1,22 @@
|
||||
---
|
||||
title: GPO\_DOMISO\_Encryption\_WS2008 (Windows)
|
||||
description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# GPO\_DOMISO\_Encryption\_WS2008
|
||||
|
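Review bot: the frontmatter key order in this file (author, manager, ms.collection, ms.topic, then ms.prod and ms.localizationpriority) differs from every sibling file in the commit, where ms.prod and ms.localizationpriority come right after ms.author; harmless to the build, but worth normalizing while the block is being edited. Separately, the title keeps the "WS2008" suffix (`GPO_DOMISO_Encryption_WS2008`) under an `appliesto:` list that begins at Windows Server 2016; confirm the name is still intended, or the appliesto entries mislead.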
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: GPO\_DOMISO\_Firewall (Windows)
|
||||
description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# GPO\_DOMISO\_Firewall
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This GPO is authored by using the Windows Defender Firewall
|
||||
with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008.
|
||||
|
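Review bot: "This GPO is authored by using the Windows Defender Firewall" and "with Advanced Security interface in the Group Policy editing tools." are split across two lines in the middle of a sentence; join them so the rendered paragraph does not depend on Markdown soft-wrapping. In the same paragraph, "intended to only apply to devices that are running at least Windows 7 or Windows Server 2008" contradicts the new `appliesto:` minimum of Windows 10 / Windows Server 2016; one of the two statements should change.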
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows)
|
||||
description: Author this GPO by using Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# GPO\_DOMISO\_IsolatedDomain\_Clients
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista.
|
||||
|
||||
|
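Review bot: "It's intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista" now sits under an `appliesto:` list of Windows 10, Windows 11 and Windows Server 2016+; none of the operating systems the paragraph names is in that list. Either restate the WMI filter target for the supported client versions or explain in the text that the GPO is retained for legacy clients, otherwise the page contradicts its own header.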
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows)
|
||||
description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# GPO\_DOMISO\_IsolatedDomain\_Servers
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to server devices that are running at least Windows Server 2008.
|
||||
|
||||
|
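Review bot: "It's intended to only apply to server devices that are running at least Windows Server 2008" is out of step with the `appliesto:` minimum of Windows Server 2016 added in this hunk. Also, this page says "authored by using the Windows Defender Firewall interface" while the sibling `GPO_DOMISO_IsolatedDomain_Clients` page says "Windows Defender Firewall with Advanced Security interface" for the same tool; pick one name for the console across the set.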
@ -1,23 +1,25 @@
|
||||
---
|
||||
title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows)
|
||||
description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Identifying Windows Defender Firewall with Advanced Security implementation goals
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios.
|
||||
|
||||
|
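Review bot: the H1 "# Identifying Windows Defender Firewall with Advanced Security implementation goals" is followed directly by "**Applies to**" with no blank line in between, unlike every other page in this commit, which leaves a blank line after the heading; add it so the heading and the bold label render as separate blocks. The `title:` field ("Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment") also does not match the H1 wording, which makes search results and the page header disagree.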
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows)
|
||||
description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Implementing Your Windows Defender Firewall with Advanced Security Design Plan
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The following are important factors in the implementation of your Windows Defender Firewall design plan:
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Isolated Domain GPOs (Windows)
|
||||
description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Isolated Domain GPOs
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.
|
||||
|
||||
|
@ -1,16 +1,22 @@
|
||||
---
|
||||
title: Isolated Domain (Windows)
|
||||
description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Isolated Domain
|
||||
|
@ -3,22 +3,24 @@ title: Isolating Microsoft Store Apps on Your Network (Windows)
|
||||
description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network.
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Isolating Microsoft Store Apps on Your Network
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
|
||||
|
||||
|
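Review bot: the context sentence "You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app" switches subject mid-sentence from "you" to "they"; "if you want more control" is the intended reading. Since this commit is already touching the file, correct it here.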
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Link the GPO to the Domain (Windows)
|
||||
description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Link the GPO to the Domain
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows)
|
||||
description: Mapping your implementation goals to a Windows Firewall with Advanced Security design
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Mapping your implementation goals to a Windows Firewall with Advanced Security design
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design.
|
||||
> [!IMPORTANT]
|
||||
|
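Review bot: this page's title, H1 and body use "Windows Firewall with Advanced Security" while the rest of the files in the commit use "Windows Defender Firewall with Advanced Security"; the rename should be applied consistently across the set (the "Group Policy Management of Windows Firewall with Advanced Security" page has the same inconsistency). The hunk also ends on a bare "> [!IMPORTANT]" line with no callout body visible in the context; make sure the callout text still follows it in the file.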
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Modify GPO Filters (Windows)
|
||||
description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Modify GPO Filters to Apply to a Different Zone or Version of Windows
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Open the Group Policy Management Console to IP Security Policies (Windows)
|
||||
description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system.
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Open the Group Policy Management Console to IP Security Policies
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC).
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Group Policy Management of Windows Firewall with Advanced Security (Windows)
|
||||
description: Group Policy Management of Windows Firewall with Advanced Security
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Group Policy Management of Windows Firewall with Advanced Security
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security.
|
||||
|
||||
|
@ -1,24 +1,26 @@
|
||||
---
|
||||
title: Group Policy Management of Windows Defender Firewall (Windows)
|
||||
description: Group Policy Management of Windows Defender Firewall with Advanced Security
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/08/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Group Policy Management of Windows Defender Firewall
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To open a GPO to Windows Defender Firewall:
|
||||
|
||||
|
@ -1,24 +1,26 @@
---
title: Open Windows Defender Firewall with Advanced Security (Windows)
description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Open Windows Defender Firewall with Advanced Security

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This procedure shows you how to open the Windows Defender Firewall with Advanced Security console.
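Review bot: the frontmatter `appliesto` block and the `**Applies to**` body list in this hunk carry the same platform information twice, with slightly different wording ("Windows Server 2016 and above" versus the explicit 2016/2019/2022 entries); since the ownership metadata is being touched anyway, consider dropping the body list so there is a single place to keep current. This applies to all of the files in this diff that have both blocks.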
@ -1,24 +1,26 @@
---
title: Planning Certificate-based Authentication (Windows)
description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Planning Certificate-based Authentication

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

Sometimes a device can't join an Active Directory domain, and therefore can't use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication.
@ -1,24 +1,26 @@
---
title: Planning Domain Isolation Zones (Windows)
description: Learn how to use information you've gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Planning Domain Isolation Zones

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment.
@ -1,24 +1,26 @@
---
title: Planning GPO Deployment (Windows)
description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Planning GPO Deployment

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

You can control which GPOs are applied to devices in Active Directory in a combination of three ways:
@ -1,24 +1,26 @@
---
title: Planning Group Policy Deployment for Your Isolation Zones (Windows)
description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Planning Group Policy Deployment for Your Isolation Zones

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

After you've decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan.
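Review bot: the description line in this hunk writes "group policy deployment" in lower case while the title on the line above and the other files in this diff use the product name "Group Policy"; since the frontmatter is being edited here anyway, capitalise it for consistency.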
@ -1,24 +1,26 @@
---
title: Planning Isolation Groups for the Zones (Windows)
description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Planning Isolation Groups for the Zones

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group that represents that zone.
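Review bot: the description in this hunk refers to "Microsoft Firewall", which is not the product name used anywhere else in this diff; the sibling files all say "Windows Defender Firewall with Advanced Security". Suggest changing the line to `description: Learn about planning isolation groups for the zones in Windows Defender Firewall with Advanced Security, including information on universal groups and GPOs.` while the frontmatter is open.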
@ -1,24 +1,26 @@
---
title: Planning Network Access Groups (Windows)
description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Planning Network Access Groups

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required.
@ -1,24 +1,26 @@
---
title: Planning Server Isolation Zones (Windows)
description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Planning Server Isolation Zones

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server.
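Review bot: the closing context line of this hunk reads "encrypts all network connections to server", which is missing an article ("to the server"); the same sentence says "One was already addressed" without naming or linking the topic that covers the encryption zone, so a reader landing on this page has no pointer to follow. Both are one-line fixes in the body that could ride along with this metadata change.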
@ -1,24 +1,26 @@
---
title: Planning Settings for a Basic Firewall Policy (Windows)
description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Planning Settings for a Basic Firewall Policy

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

After you've identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices.
@ -1,24 +1,26 @@
---
title: Planning the GPOs (Windows)
description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout.
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/08/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Planning the GPOs

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones.
Some files were not shown because too many files have changed in this diff.